231124ARCPaper7Appendix2Riskregister
Risk Register as at 14 November 2023
Page 1 of 2 Audit and Risk Committee Paper Appendix 2
Risk reference | Old reference | Theme | Risk category | Risk description | Mitigation/controls in place | Current impact | Current likelihood | Risk score | Trend | Comment | Planned actions | Due date | Risk appetite | Target impact | Target likelihood | Target risk score | Risk owner | Date last updated |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | A1 | All Resources | financial | Public sector finances constrain capacity to allocate sufficient resources to deliver corporate plan. | Preventative: Ongoing liaison with Scottish Government highlighting achievements of CNPA. Preventative: Corporate plan prioritised around anticipated Scottish Government budget allocations, taking on Board expectation of funding constraints. Remedial: Focus resource on diversification of income streams to alternate, non-public income generation. Remedial: Continuing to support “delivery bodies” such as Cairngorms Nature, Cairngorms Trust in securing inward investment. | 5 | 3 | 15 | Escalating | Risk escalation reflects Scottish Government’s continued and heightened concerns on forward stability of current financial allocations; risk of in-year adjustments, and risk over future year funding levels. All mitigating actions in place and operational. | Open | 3 | 3 | 9 | David Cameron | 05/31/2023 | ||
2 | A12.2 | All Resources | financial | The scale of CLLD Funding secured for Cairngorms communities does not meet required levels as a consequence of UK Funding not recognising National Parks as administrative entities and Scottish Government funding changing priority. | Preventative: prioritise engagement in consultations and events around the future development of structural and community funding. Remedial: continue to support work of Cairngorms Trust in attracting voluntary donations toward community action – although this is likely to remain at a much smaller scale for some time. Remedial: continue to review opportunities for funding bids to other non-governmental funding sources. Preventative: work on C2030 potentially secures an additional £1m over 5 years and as such may remove this from a strategic profile risk if secured. | 3 | 3 | 9 | Static | Positive movement continuing across policy development areas within Scottish Government around the continuity of some form of CLLD with 2023/24 funding allocations in place, while limited by current in-year spending pressures. However, opportunity to access UK Government funding to replace EU losses still very unclear. Wider changes to agri-environment schemes and impact of change also remains highly uncertain. | Open | 3 | 3 | 9 | David Cameron | 05/31/2023 | ||
3 | A13 | Place Resources | financial | Scale of asset responsibilities such as for paths, outdoor infrastructure (e.g. legal path maintenance agreements) is not adequately recognised and does not secure adequate forward maintenance funding. | Remedial: Review of accounting policies and the potential to recognise ensuing financial liabilities on the balance sheet so as to raise awareness with Scottish Government. Ensure full consideration is given in budget reviews. Preventative: Capital bids to government; alternate funding sources such as voluntary giving to be explored more actively. Work on Strategic Tourism Visitor Infrastructure Plan to focus action. | 2 | 3 | 6 | Managed | Added by MT / OMG April 18. Significant increase in capital allocation has allowed scope for increased programming of maintenance over 2021 to 2025. Potential to remove from strategic risk oversight at this time? Relatively small areas that are not very public and fairly low cost. | Open | 2 | 3 | 6 | David Cameron | 05/31/2023 | ||
4 | A13 | All | Technical | CNPA IT services are not sufficiently robust/secure/or well enough specified to support effective and efficient service delivery. Increasing demand for knowledge around Microsoft 365 and cyber security is outstripping the team’s knowledge/skill-set. Increasing ICT dependency for effective and efficient operations is not adequately backed up by ICT systems support. | Preventative: Develop and consult on the forward plans for ICT service development to ensure these meet service requirements. Remedial: External consultancy to develop our IT strategy — organisational development, technical improvements and upskilling. Remedial: New ICT Strategy to be developed to reappraise position on IT dependencies and establish a focus for future digital development across the Authority. Clear action planning to evolve from final ICT strategic direction once agreed. Preventative: Deploy timetabled action plan against approved ICT Strategy. | 3 | 4 | 12 | Escalating | Retained as a risk rather than merged into other IT risks following May 2022 ARC review. Internal audit report on IT Strategy sets out key actions in this area of risk management around IT Strategy development, project management and costing of IT action plans to be implemented. Operational Management Group Movement into Microsoft 365 deployment and cloud based systems has involved significant work and some disruption to staff operations. Internal audit work reinforces need to focus on project management of activities both for management of processes and improved organisational communications. IT operational risk register has identified potential for structural improvement. These considerations to be developed further, with the potential for external consultancy to develop our IT strategy — organisational development, technical improvements and upskilling. | Cautious | 3 | 2 | 6 | David Cameron | 11/07/2023 | ||
5 | A9.3 | All Resources | staffing | Our Corporate and Operational Planning systems do not adapt to delivery of major funded programmes alongside delivering ‘core’ national park objectives. This leads to workforce stretch between 3rd party funding delivery and ‘core’ corporate plan activities with increased risks of stress and reduced morale. | Preventative: Strategic and operational plans will be developed with externally funded project delivery as intrinsic elements of plans to ensure delivery capacity is considered fully. Importance of staff management and task prioritisation reinforced through leadership meetings. Focus on fewer, larger impact projects (C2030 Heritage Horizons) Remedial: Performance Development Conversations (PDCs) being deployed regularly with all staff to check on staff workloads, with 2 way flows of communications enabled through that process on staff workload and capacity. | 4 | 5 | 20 | Escalating | Additional recruitment in 22/23 and 23/24 to alleviate key staff pressure points complete. Fixed term staff contracts reviewed throughout the year. Likelihood of risk therefore declining and risk profile therefore reducing. Impact of measures and risk profile will continue to be closely monitored through staff management processes. | Open | 3 | 4 | 12 | David Cameron | 11/07/2023 |
6 | A18 | All | Technical | Cyber security is inadequate to address risk of cyber-attack on systems. Use of AI increases risk of cyber security threats such as spear phishing. | Preventative: Implementation of Scottish Government Cyber Security Action Plans and internal audit recommendations on IT security. Ongoing review of systems and procedures in tandem with LLTNPA and through consultancy. Rescope arrangements through IT Strategy. | 3 | 3 | 9 | Escalating | Added by MT / OMG April 18. Additional cyber security measures invested in and implemented. Aware of increased risks highlighted by national agencies during COVID response. Cyber security plus accreditation being reapplied for. Reviewing options for further increased security measures. Invest in strengthening cybersecurity infrastructure and training staff to handle potential threats. This includes regular security audits, incident response planning and promoting a security-first culture. Cyber security plus accreditation being reapplied for. Considering options for consultancy to review systems and procedures. | Cautious | 3 | 2 | 6 | David Cameron | 11/07/2023 | ||||
7 | A20 | All | Technical | Change in financing IT services and the switch from capital to revenue provision places an unmanageable pressure on the Authority’s budget capacity. | Remedial: Monitor pattern of IT Investment costs as regards the capital and revenue split of resourcing requirements; build impacts into ongoing budget deliberations with Scottish Government. | 2 | 2 | 4 | Managed | Budgets have been sufficient in both 2022/23 and 2023/24 to accommodate the costs of SAAS. Continued expansion of our use of the Microsoft suite of products may lead to increased cost, but this will be controlled by allocation of appropriate licences. Installation of a new finance system (2024/25) is likely to add cost pressure. Added by Audit Committee 8 March 2019 following “deep dive” IT risk review. Risk remains live as we implement a refreshed ICT Strategy and move to more cloud / service solutions. While there was sufficient budget cover for the initial implementation of cloud based services in 21/22, the final position will crystallise over 22/23 and into the 23/24 budget. | Cautious | 2 | 2 | 4 | David Cameron | 05/31/2023 | ||||
8 | A22 | All | Technical | Business Continuity Plans (BCP) are inadequate to deal with significant impacts to normal working arrangements and result in service failure. | Preventative: Overhaul of BCP developed in 2014 with reporting on development of plans through Management Team and Audit and Risk Committee. Test BCP arrangements once plan in place and communicated. Remedial: internal audit review of COVID19 over winter 20/21 will lead into lessons learned on wider BCP. | 4 | 4 | 16 | Static | Added by Audit Committee May 2019 following internal audit review of BCP. Delay in finalisation of BCP documentation itself as we focus on establishment of hybrid working arrangements post COVID. However, work on BCP has considerably assisted in roll out of initial and ongoing responses to Coronavirus pandemic with evidence, including very positive staff feedback, that BCP implementation has been effective. Consultancy required to assist in developing new approach to BCP. | Cautious | 2 | 3 | 6 | David Cameron | 05/31/2023 | ||||
9 | A24 | Nature & conservation | Strategic delivery | The Authority’s range of powers combined with strategic partnerships is insufficient to deliver outcomes on wildlife crime. | Remedial: use NPPP development processes to explore partnership attitudes, engagement and powers which they may add to the current controls. Preventative: explore potential for licencing or other regulatory arrangements to contribute to more effective control framework; Tracker/satellite monitoring deployment; | 4 | 4 | 16 | Decreasing | Added by SMT risk review May 2021 Licencing schemes coming into operation and trackers in place for some raptors. Declining risk profile. | Open | 3 | 4 | 12 | Andy Ford | 05/31/2023 | ||||
10 | A25 | Nature & conservation | Strategic delivery | The Authority’s Peatland Programme outcomes may be adversely impacted by: Lack of internal capacity within the Peatland team; Lack of contractor capacity; and/or Lack of land manager engagement. | Preventative: interaction with skills and economic development agencies to highlight the problems of contractor capacity and scale of future programme; Preventative: close liaison with land management community around programme and participation. Design of support. Remedial: phasing of works to act on more straightforward, less technical areas to assist new contractors to enter market and develop skills and understanding; reprofile capital expenditure to recognise more expensive, more complex projects coming toward end of funding period. | 3 | 4 | 12 | Static | Added by SMT risk review May 2021 Recent evidence suggests increased level of response to peatland tenders and evidence of some new entrants to this market. Some ongoing evidence of success of risk mitigation measures, with programme on target for delivery of area of restoration for second year in succession. Internal capacity within the Peatland team is also having an impact on the speed of delivery. Inclusion of peatland restoration in the C2030 programme extends the project over multiple years, easing annual time pressures. | Open | 3 | 4 | 12 | Andy Ford | 05/31/2023 | ||||
11 | A26 | All | Reputation | Reliance on partners’ delivery of key communication messages is ineffective, resulting in blurred, disjointed communications and failure to achieve communications objectives. | Preventative: agree partnership frameworks that explicitly set out expectations and outcomes of collaborative activities and establish adequate control mechanisms; Preventative: specifically monitor and feedback on communications effectiveness where there are partnership dependencies Remedial: conduct review meetings that track and document progress and escalate any issues arising to appropriate governance groups. Remedial: review brand management and approaches to partnership linkages through brand | 3 | 4 | 12 | Escalating | Added by SMT risk review May 2021. Work remains to be undertaken around these preventative and remedial mitigation measures. Reputation management — recent issues around Glenmore (wildfires, parking etc) plus handling of key responsible behaviour messaging. | Open | 3 | 4 | 12 | Grant Moir | 05/31/2023 | ||||
12 | A27 | Nature & conservation | Strategic delivery | Approaches to conservation and protection of endangered species may be insufficient to achieve associated strategic outcomes. | Remedial: review current approaches in context of relevant data sources to determine adequacy of current approaches. Remedial: use NPPP delivery processes to test potential for enhanced/revised approaches to conservation and protection of endangered species | 3 | 3 | 9 | Escalating | Added by SMT risk review May 2021. Recognised that work remains to be undertaken or is ongoing around these preventative and remedial mitigation measures. Capercaillie emergency plan suggests escalating risk. Bidding for/securing funding and maintaining investment levels against wider budget pressures? | Open | 3 | 3 | 9 | Andy Ford | 11/07/2023 | ||||
13 | A28 | All Resources | staffing | Delivery of key outcomes is impacted by staff turnover/internal secondment to projects, particularly in project teams. | Preventative: consider HR solutions to encourage retention Remedial: ensure succession planning and operational risk registers cover this strategic risk | 4 | 3 | 12 | Static | Added following Board reflection on impact of turnover in TGLP Project. Fixed term contracts extended through financial year 2023/24 with longer term review pending following funding and budget decisions in late 2023. Anticipated impact of projects (e.g. C2030 & Capercaillie) likely to be short-term. General uncertainty arises from patterns of staff need from project work. | Open | 4 | 3 | 12 | David Cameron | 05/31/2023 | ||||
14 | A29 | All Resources | staffing | Increasingly competitive and restricted recruitment climate prevents staff with the required experience and skill sets being secured. Planning and other specialist staff (IT, finance) requirements impacted by national labour/skills shortages and/or salary structures not sufficiently competitive to attract or retain key staff. | Preventative: focus on training and development and internal succession planning, in turn bringing recruitment into less experienced/less highly skilled markets and developing pipeline of qualified staff; consider job design, creating roles with more seniority (higher grades), and flexibility of offer regarding part-time/ job share. Remedial: contingency planning for example around out-sourcing of aspects of delivery eg establish call-off framework for consult planning services. | 4 | 4 | 16 | Static | Added by SMT review 18 Jan 22. Evidence of reducing number of applicants and candidate lists for vacancies ongoing, while trend in unsuccessful recruitment exercises has been acted on with no recent unsuccessful recruitment. Review our salary structures and benchmark these against organisations with whom we might compete for staff, particularly in the local area. Use this evidence to inform future pay structure/awards. | Open | 3 | 4 | 12 | David Cameron | 05/31/2023 | ||||
15 | All Resources | staffing | Corporate support and leadership resources are over-stretched by wider demands of supporting national policy development on new national parks and public sector reform. | New | 3 | 2 | 6 | Escalating | Open | 3 | 2 | 6 | David Cameron | 11/07/2023 | ||||||
16 | All Resources | staffing,Technical | Supporting speed of organisational change prevents required development and embedding of effective support systems. Teams working in silos is creating pressure and unequal pace of development. Speed of changes around current recruitment to C2030 posts has outstripped Senior Management capacity to forward plan around HR processes associated with those. There needs to be a better established/more formal control that we will only sign off on commencement of organisational development/change activity when we have approved we are confident on our readiness to support it, providing enhanced control over speed of change. | 4 | 4 | 16 | Escalating | Open | 2 | 3 | 6 | David Cameron | 11/07/2023 | |||||||
17 | Nature & conservation, Place | Strategic delivery | The Authority does not meet Government or public expectations in our work to safeguard the Natural and Cultural Heritage of the Park (spans conservation activity, giving weight to first aim, addressing wildfire risk etc). | New | 2 | 3 | 6 | Escalating | Open | 2 | 3 | 6 | 11/07/2023 | |||||||
18 | Nature & conservation | Strategic delivery | Full service approach to peatland restoration programme creates increased legal and financial liabilities; design of grant scheme is not compliant with best practice | Remedial: commission legal advice to establish a suite of documentation and a more explicit, clear and formal relationship between the Park Authority, the land managers who are taking forward projects, and the contractors; determine the extent to which the legal advice and documentation developed mitigates the identified risks, and whether residual risk is in line with risk appetite, or whether additional mitigations are required. Remedial: take out commercial insurance to cover peatland advice? | 5 | 1 | 5 | Static | Peatland Action is high risk in the sense that the sums of money are large, the science base is limited and we know very little about the long term consequences of peatland restoration. We are working in high altitude sites where climate can be extreme and we are dealing with a lot of uncontrollable variables around eg wildfire, deer behaviour etc. It's also quite high profile work and therefore carries reputational risks for us re land managers, Board, Scot Gov, Ministers etc. It may not be possible to mitigate these risks fully, and we have to accept quite a high degree of risk going forward. However PA is one of the key SG strategies to combat carbon emissions and there is Gov support in every sense for this work. The risk appetite should therefore be quite high. The SLA is our best attempt to mitigate legal risks and I don’t think there is much more we can do beyond that. | Open | 5 | 1 | 5 | Andy Ford | 11/07/2023 | |||||
19 | All Resources | staffing | Scottish Government Main Group award 2023/25 creates significant financial pressure on the Park Authority’s resource budget for 2024/25, with the potential to affect positive relationships with the Union, staff morale and motivation, recruitment and retention. | Preventative: develop pay models to identify the potential cost to the Park Authority of following the Main Group position & consider the impact of potential pay strategies on the developing budget position for 2024/25; consider pay award dates and staged awards as tools to meet expectations while maintaining affordability | 4 | 4 | 16 | Escalating | Open | 3 | 4 | 12 | David Cameron | 11/07/2023 | ||||||
20 | Place | Strategic delivery, Technical | Lack of expertise and experience in managing construction projects may compromise the effectiveness and efficiency of planned delivery. There are perceived gaps in our skill set with respect to: procurement processes, recruitment of technical staff, ability to undertake necessary due diligence on output from consultants and contractors. There are also financial risks associated with the letting of contracts where partnership funding is likely to be dependent on the achievement of satisfactory standards. | New | 5 | 4 | 20 | Escalating | Construction projects of the size anticipated within the C2030 programme are new to the organisation. We need to improve our knowledge of Construction Design Management Regulations (CDM) and contracts (NEC4). We lack experience in producing briefs and reviewing tenders of this size and type. Improvements in our skill set will also benefit: peatland restoration, river restoration, construction of paths, active travel projects. | Cautious | 3 | 2 | 6 | Murray Ferguson | 11/10/2023 | |||||
21 | All Resources | financial | Risk of C2030 match funding not being secured — current match funding in bid not fully committed and/or for one year only in many areas. | Preventative: high profile and ongoing focus for SMT in engaging in influencing to secure the match funding needed from partners; project managers aware of relevant project match funding position and tasked with seeking additional match funding where appropriate. | 0 | 0 |